Understanding security incident and event management

Author: Shane Schick

Security incident and event management (SIEM) technology helps organizations do what might otherwise be impossible for even a large and well-trained IT team working with outdated tools: identify the full scope of potential risks and how to mitigate them.

By aggregating threats, analyzing them and alerting network security monitors to their presence, SIEM solutions help businesses stay one step ahead of cyber threats. A robust SIEM can cover an organization's entire infrastructure, collecting data from servers, domain controllers, network devices and other sources.

How security incident and event management works

SIEM culls data from basic intrusion detection tools and firewalls as part of its intelligence-gathering process, but it goes farther than either does alone. It provides rich reporting capabilities that help businesses understand current trends and where IT systems might be vulnerable to attack.

Companies can use security incident and event management solutions to identify abnormal behavior—such as a login attempt at an unusual time or an unauthorized download onto an endpoint—that might otherwise be ignored or missed. SIEM can cross-reference suspicious activity against established business rules and curated threat intelligence, and then alert the IT security team. Correlating anomalies across devices and endpoints gives IT departments forensic context that can dramatically improve how they assess and address risk.

SIEM and SOAR

Even then, organizations need skilled analysts to respond to alerts. And sometimes analysts might need to synthesize information about multiple threats and figure out if and how they're connected. That's why many organizations build on their SIEM deployment with security orchestration and automated response (SOAR) technology.

SOAR solutions keep security analysts from wasting time inspecting false positives among SIEM alerts. By triaging alerts automatically, they can root out false-positive warnings about suspicious activity and mitigate the threats that SIEM surfaces, leaving analysts free to focus on higher-level security issues.
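The triage step above can be illustrated with a small playbook that takes SIEM alerts, closes the ones matching a known-benign pattern, enriches the rest with context and routes them by score. This is an added example written for this article, not code from any SOAR product or from the author; the alert records, the allowlist entry, the privileged-user set, the rule weights and the score thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed alerts in the shape a SIEM might emit them (not real data).
SAMPLE_ALERTS = [
    {"id": 1, "rule": "login_outside_business_hours", "user": "svc_backup", "src": "10.1.9.5", "ts": "2024-03-04T02:00:04Z"},
    {"id": 2, "rule": "login_outside_business_hours", "user": "bob", "src": "203.0.113.9", "ts": "2024-03-04T02:47:31Z"},
    {"id": 3, "rule": "download_from_external_src", "user": "bob", "src": "203.0.113.9", "ts": "2024-03-04T02:52:10Z"},
    {"id": 4, "rule": "src_on_threat_intel", "user": "dave", "src": "198.51.100.77", "ts": "2024-03-04T13:05:00Z"},
    {"id": 5, "rule": "login_outside_business_hours", "user": "erin", "src": "10.1.4.40", "ts": "2024-03-04T20:10:00Z"},
]

# Constructed allowlist of known false positives: (rule, user, source prefix, allowed hour range).
# Here: a backup service account that logs in from the backup subnet between 01:00 and 03:00 UTC.
KNOWN_BENIGN = [
    ("login_outside_business_hours", "svc_backup", "10.1.9.", (1, 3)),
]
# Assumed directory context used for enrichment.
PRIVILEGED_USERS = {"dave"}
# Assumed base severity per rule.
RULE_WEIGHT = {"login_outside_business_hours": 2, "download_from_external_src": 3, "src_on_threat_intel": 5}


def is_known_benign(alert):
    """True when the alert matches an allowlisted pattern on rule, user, source and hour."""
    hour = datetime.strptime(alert["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    for rule, user, prefix, (lo, hi) in KNOWN_BENIGN:
        if (alert["rule"] == rule and alert["user"] == user
                and alert["src"].startswith(prefix) and lo <= hour < hi):
            return True
    return False


def enrich(alert):
    """Attach the context an analyst would otherwise look up by hand."""
    a = dict(alert)
    a["internal_src"] = a["src"].startswith("10.")   # assumed: 10.0.0.0/8 is internal
    a["privileged_user"] = a["user"] in PRIVILEGED_USERS
    return a


def score(alert, related_count):
    """Severity = rule weight + context modifiers + number of other open alerts for the user."""
    s = RULE_WEIGHT.get(alert["rule"], 1)
    if not alert["internal_src"]:
        s += 2
    if alert["privileged_user"]:
        s += 2
    s += related_count
    return s


def triage(alerts):
    """Auto-close known-benign alerts; enrich and score the rest; route by threshold."""
    decisions = []
    open_by_user = defaultdict(int)
    enriched = []
    for alert in alerts:
        if is_known_benign(alert):
            decisions.append({"id": alert["id"], "action": "auto_close",
                              "reason": "matches known-benign pattern"})
            continue
        a = enrich(alert)
        open_by_user[a["user"]] += 1
        enriched.append(a)
    for a in enriched:
        s = score(a, open_by_user[a["user"]] - 1)
        action = "escalate" if s >= 6 else "ticket" if s >= 3 else "watch"
        decisions.append({"id": a["id"], "action": action, "score": s})
    return decisions


if __name__ == "__main__":
    for d in triage(SAMPLE_ALERTS):
        print(d)
```

The value of the allowlist is that it is explicit and auditable: the backup account's nightly login is closed because it matches a documented pattern on all four dimensions, not because someone silenced the rule globally, so the same rule still fires for an ordinary user logging in at night from an external address.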

Whether you combine SIEM and SOAR solutions will largely depend on how many threats your organization faces and the resources typically required to investigate and resolve security issues. Working with the right partner will ensure that you're protected by consistent, scalable processes designed to address the most common attack vectors and risk scenarios.

As organizations use SIEM and SOAR in tandem, their analysts and other IT security teams will become more collaborative—and more efficient in keeping incidents at bay.

Explore Verizon's latest security research and get a free rating and security analysis.